What’s stopping DANE? [closed]
As I understand it, DANE (RFC 6698) is a promising candidate for addressing issues with current TLS Trust Anchors (i.e. Trust Anchors).
My attempt at explaining the issue:
Currently, CAs are universal trust anchors and, as a result, are permitted to issue certificates for any site, regardless of TLD or prior existence of a valid cert. DANE would move these trust anchors to the DNS infrastructure where there would be a strict public key hierarchy (e.g. "*" → "*.com" → "*.example.com" etc.).
Tying trust to the DNS entry requires that these be secure (from, say, cache poisoning). The proposed standard attempting to solve this is DNSSEC (RFC 5155). It also surprises me that the move towards DNSSEC has not been more rapid given that the current issues with DNS appear to be numerous, well-documented, and potentially quite serious.
The conspiracy theorist in me wants to blame the CA business, which has a vested interest in DANE’s failure, but I’m sure there are more rational explanations.
Basically: What, if anything, is hindering progress/adoption of these RFCs?
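To make the mechanism the question describes concrete, here is an added example (not part of the original post) of how a DANE binding in RFC 6698 terms is built and checked: a TLSA record for a service name, its zone-file presentation, and the client-side match of a presented certificate against it. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, not real DER; a real client would extract the SPKI from the certificate with an ASN.1 parser, and would only trust the record if it arrived in a DNSSEC-validated response.

```python
"""
Added example: building and verifying a DANE TLSA record (RFC 6698).
The sample certificate/SPKI bytes below are constructed placeholders.
"""
import hashlib
import hmac
from dataclasses import dataclass

# RFC 6698 section 2.1 field values.
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed placeholders standing in for DER-encoded data (not real certificates).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-placeholder-certificate-der"
SAMPLE_SPKI_DER = b"\x30\x59constructed-placeholder-subjectpublickeyinfo"


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    cert_assoc_data: bytes


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name per RFC 6698 section 3, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def _select(cert_der: bytes, spki_der: bytes, selector: int) -> bytes:
    """Selector 0 binds the whole certificate, selector 1 only its public key."""
    if selector == SELECTOR_FULL_CERT:
        return cert_der
    if selector == SELECTOR_SPKI:
        return spki_der
    raise ValueError(f"unknown selector {selector}")


def _match(data: bytes, matching_type: int) -> bytes:
    """Matching type 0 stores the data verbatim, 1 and 2 store a digest of it."""
    if matching_type == MATCH_EXACT:
        return data
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def build_tlsa(cert_der: bytes, spki_der: bytes, usage: int,
               selector: int, matching_type: int) -> TLSARecord:
    """What the zone operator publishes for the service's certificate."""
    if usage not in USAGE_NAMES:
        raise ValueError(f"unknown usage {usage}")
    data = _match(_select(cert_der, spki_der, selector), matching_type)
    return TLSARecord(usage, selector, matching_type, data)


def present(record: TLSARecord) -> str:
    """Zone-file presentation format (RFC 6698 section 2.2): usage selector type hex."""
    return f"{record.usage} {record.selector} {record.matching_type} {record.cert_assoc_data.hex()}"


def verify_tlsa(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Client side: recompute the association data from the presented cert and compare."""
    expected = _match(_select(cert_der, spki_der, record.selector), record.matching_type)
    return hmac.compare_digest(expected, record.cert_assoc_data)


def requires_pkix_validation(record: TLSARecord) -> bool:
    """Usages 0 and 1 only constrain an otherwise CA-validated chain; 2 and 3
    replace the CA trust anchor with what DNS (and therefore DNSSEC) asserts."""
    return record.usage in (0, 1)


if __name__ == "__main__":
    # DANE-EE, SPKI, SHA-256: the combination RFC 7671 recommends for most deployments.
    rec = build_tlsa(SAMPLE_CERT_DER, SAMPLE_SPKI_DER, 3, SELECTOR_SPKI, MATCH_SHA256)
    print(tlsa_owner_name("www.example.com", 443), "IN TLSA", present(rec))
    print("presented cert matches:", verify_tlsa(rec, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
    print("needs CA path validation:", requires_pkix_validation(rec))
```

The `requires_pkix_validation` split is the crux of the question: only usages 2 and 3 actually relocate the trust anchor out of the CA set, and for those the TLSA record is only as trustworthy as the DNS answer that delivered it, which is why DANE cannot be deployed ahead of DNSSEC.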